Nicovs' Blog
https://www.nicovs.be
Some Random SysAdmin Stuff

Renewing (or enabling) Windows Remote Management (WinRM) over HTTPS
https://www.nicovs.be/renewing-or-enabling-windows-remote-management-winrm-over-https/
Tue, 11 Apr 2017 14:34:15 +0000

This post became possible due to the work done by these 2 persons: Laurie Rhodes and of course Vadims Podans.
So don’t thank me for the “hard work”; thank me only for the little adjustments that were needed to make this work…

So, the problem: set up WinRM over HTTPS, so that you can securely manage a Windows server remotely with WinRM and PowerShell. Since we are sometimes cheap, we like to use a self-signed certificate and work with firewalled servers, so that not everyone can connect to WinRM if they like to.
We once set up WinRM on our remote server with a self-signed certificate, but that worked for only 1 year and a few weeks/months. I say AND a few weeks/months because of the Spooky Certificate issue.
So today we ran into the issue that, when trying to connect to our remote server, we get this error:
WinRM testing failed with the following error:

Connecting to remote server XXX.XXX.XXX.XXX failed with the following error message: The server certificate on the destination computer (XXX.XXX.XXX.XXX:5986) has the following errors: The SSL certificate is expired.

Trying to renew this certificate is not easy, so I searched together with my friend Google for a #HowToFixThis
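
A check that would have flagged this before the connection failed, as an added example that is not part of the original post: run from a monitoring host, it fetches the certificate presented on the WinRM HTTPS port (5986) with openssl and reports when renewal is due. The function names and the presence of openssl on the monitoring host are assumptions.

```shell
#!/bin/sh
# Added example: warn before the certificate behind a WinRM HTTPS
# listener expires. Function names are illustrative.

# fetch_winrm_cert HOST [PORT] -> listener certificate as PEM on stdout.
fetch_winrm_cert() {
    openssl s_client -connect "$1:${2:-5986}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_expires_within PEMFILE DAYS
# Returns 0 when the certificate expires within DAYS days (or is already
# expired, or cannot be read), 1 when it stays valid beyond that.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_winrm_cert HOST DAYS -> prints a warning line when renewal is due.
check_winrm_cert() {
    pem=$(mktemp) || return 2
    fetch_winrm_cert "$1" > "$pem"
    if cert_expires_within "$pem" "$2"; then
        echo "WARN $1:5986 certificate expires within $2 days (or is unreadable)"
    fi
    rm -f "$pem"
}
```

Scheduling `check_winrm_cert <server> 30` daily gives a month of notice; an unreadable certificate is reported too, so a dead listener does not pass silently.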

Firstly, you need to remove the WinRM listener using the expired certificate:

Open an elevated command prompt or PowerShell prompt.

View the currently existing listener with the following command:

winrm get winrm/config/listener?Address=*+Transport=HTTPS

The CertificateThumbprint will match what is seen on the certificate.

To remove the listener use the following command:

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Secondly: Remove the expired certificate with MMC

Click Run, then type MMC.

Go to File > Add/Remove Snap-in.

Select Certificates then click Add.

Select the Computer Account option.

In the left-hand pane, expand Certificates > Personal > Certificates.

Right-click the certificate and click Delete.

Now, creating the certificate: I need to use the enhanced version of the cmdlet (New-SelfSignedCertificateEx), due to limitations in the Windows 2012 New-SelfSignedCertificate PowerShell module.
Download New-SelfSignedCertificateEx.zip
Extract it to a folder somewhere (e.g. D:\Tools)
Open an Admin PS console and run:

Import-Module D:\Tools\New-SelfSignedCertificateEx.ps1

Create a 2nd file D:\Tools\CreateWinRMCert.ps1 with the following content:
Note: change 2 things in this script if wanted:
* On the line that starts with New-SelfSignedCertificateEx, change -NotAfter (Get-Date).AddMonths(60) to a value that you like. By default, without this parameter, your new certificate will be valid for 12 months only.
* At the end of the script, change your export password: -ExportPassword "S3cr3tP4ssw0rd"

Import the PFX generated in C:\Users\Administrator\AppData\Local\Temp\2 on your client server, using the password provided above.
After generating this certificate, you need to configure WinRM to use it:

SimpleSAMLphp and Apache2.4 with PHP-FPM
https://www.nicovs.be/simplesamlphp-and-apache2-4-with-php-fpm/
Thu, 11 Aug 2016 14:58:59 +0000

When trying to use SimpleSAMLphp in an Apache 2.4 environment with PHP-FPM, you might get the error

After digging into this, it seems that it has to do with the fact that PATH_INFO is not used in Apache 2.4.11+’s mod_proxy_fcgi: see Apache mod_proxy_fcgi
where you can read:

When configured via ProxyPass or ProxyPassMatch,
mod_proxy_fcgi will not set the PATH_INFO environment variable.
This allows the backend FCGI server to correctly determine SCRIPT_NAME and Script-URI and be compliant with RFC 3875 section 3.3.
If instead you need mod_proxy_fcgi to generate a "best guess" for PATH_INFO, set this env-var.
This is a workaround for a bug in some FCGI implementations.
This variable can be set to multiple values to tweak at how the best guess is chosen (In 2.4.11 and later only):

To make sure that simplesaml works, without breaking anything else that “fixes paths”, I configured mod_proxy_fcgi by creating a /etc/apache2/mods-enabled/proxy_fcgi.conf file containing:

Running multiple Redis instances on the same server.
https://www.nicovs.be/running-multiple-redis-instances-on-the-same-server/
Fri, 11 Dec 2015 10:09:26 +0000

Setting up multiple Redis instances on the same server is pretty easy, but if you want to be able to easily start/stop and restart instances, you’ll need to play with the init scripts of redis-server.

I needed this to be able to offer Redis buckets to different customers on a shared platform.

This is how I managed to set up multiple instances on the same server.
Since installing redis-server is out of the scope of this article, I’ll only explain what I did to manage multiple Redis Servers.

Once that is done, we need to add multiple config files for our different buckets:

mkdir /etc/redis/servers
cd /etc/redis/servers
vim www.nicovs.be.conf

And enter some config settings looking like this:

#Include the default redis settings
include /etc/redis/redis.conf
#Only enable 1 Database for this instance, not the default 16 (or change the default in /etc/redis/redis.conf to 1)
databases 1
#Max amount of RAM this instance can use:
maxmemory 100mb
#If no TTL is being set by the application using this instance, this policy will evict all keys by an approximated LRU algorithm as long as we hit the memory limit.
maxmemory-policy allkeys-lru
#Placeholder to be able to save the DB to an rdb dump file.
#save 900 1
#save 300 10
#save 60 10000
#Pidfile
pidfile /var/run/redis/www.nicovs.be.pid
#Which Port to use for this instance
port 5033
#Where to log the output of this instance
logfile /var/log/redis/www.nicovs.be.log
# The RDB Dump base dir
dir /backups/redis
#The RDB Dump filename
dbfilename www.nicovs.be.rdb
## Security settings:
# Disable the config command, so that customers are not able to change the server config from command line.
rename-command CONFIG ""
requirepass aVery_Long_!1290-PasSwooo00Ord_ToProtectBruteForce
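
An added example, not from the original post: a shell check that walks a directory of per-customer configs such as /etc/redis/servers and reports instances that lack the protections used above (requirepass, disabled CONFIG, maxmemory, own port), share a port, or are world-readable. The function name and the finding texts are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a directory of per-customer Redis configs for the
# settings used in the config above. All names here are illustrative.

# audit_redis_instances DIR -> one finding per line, nothing if all pass.
audit_redis_instances() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        n=${f##*/}
        # Without requirepass, anyone who can reach the port gets the data.
        grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$f" ||
            echo "$n: requirepass missing"
        # CONFIG renamed to "" keeps customers from changing the limits.
        grep -Eq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]+""' "$f" ||
            echo "$n: CONFIG not disabled"
        grep -Eq '^[[:space:]]*maxmemory[[:space:]]+[0-9]' "$f" ||
            echo "$n: maxmemory missing"
        # No own port means the port of the included default is inherited.
        grep -Eq '^[[:space:]]*port[[:space:]]+[0-9]+' "$f" ||
            echo "$n: port missing"
        # The file stores the password in clear text.
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "$n: world-readable"
        fi
    done
    set -- "$1"/*.conf
    [ -e "$1" ] || return 0
    # A port claimed twice: the second instance cannot bind to it.
    awk '$1 == "port" {
             n = FILENAME; sub(/.*\//, "", n)
             if ($2 in seen) print n ": port " $2 " also used by " seen[$2]
             else seen[$2] = n
         }' "$@"
}
```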

Apache RewriteMap example
https://www.nicovs.be/apache-rewritemap-example/
Fri, 03 Oct 2014 14:51:54 +0000

Today I needed to rewrite a list of about 1000 URLs to a new location. Our product database was cleaned and new URLs were created… Using RewriteMap from Apache’s mod_rewrite comes in handy here.

In my case I needed to rewrite URLs like this:

www.exampledomain.com/en/product1234/product_detail.php

to

www.exampledomain.com/en/travelbox_12/product_detail.php

In my URLs I had 1000 different ‘product1234’ values to rewrite to a new URL.

Here’s the HOWTO:

Create a textfile on your server with 2 columns. Something that would look like this:

creates a condition that if the rewritemap contains the URI and the value is not “” (so an empty string) then it should perform the RewriteRule.

The rewrite rule itself is pretty obvious. It’ll rewrite the URLs for which an entry is found in the rewritemap to the new product URL, and also keep the trailing parameters.

phpRedmin with apache, php5-fpm and mod_proxy_fcgi
https://www.nicovs.be/phpredmin-with-apache-php5-fpm-and-mod_proxy_fcgi/
Mon, 22 Sep 2014 13:47:41 +0000

With Apache 2.4 and PHP5-FPM, the way to go is using mod_proxy_fcgi.

Since the configuration of a normal proxy vhost is out of the scope of this article, I will not explain how to do this. There are lots of resources out there on how to implement this. If I find the time to write an article on this, I will do so…

So, today we were trying to configure phpredmin (imo the best Redis management tool out there) to work with Apache 2.4 using mod_proxy_fcgi to connect to PHP5-FPM.

We were having some issues with the configuration… The homepage was accessible, but all subpages were not proxied as they should be. Pretty weird, as phpmemcachedadmin, phpmyadmin,… work without any special configuration on the Apache side.

Hours of research led to the following fix: We created an extra vhost, and made some specific proxy rules in it:

You can of course change the automysqlbackup script itself and add the following option somewhere in it:

--ignore-table=mysql.event

That approach is not upgrade proof, as your automysqlbackup script might get overwritten by a new version.

There is however an easier option to accomplish this, and keep the settings:

Modify or create your ~/.my.cnf and add the following lines to the mysqldump section:

[mysqldump]
events
ignore-table = mysql.event

Hope this helps!

MsSQL Database: Drop connections
https://www.nicovs.be/mssql-drop-connections/
Fri, 20 Jun 2014 08:37:08 +0000

If you need to restore a Microsoft SQL database, you might run into the problem that there are still users connected to the database.

It’s not easy to drop those connections… lots of info that I find on google use

Puppet on Windows: set Administrator password to never expires
https://www.nicovs.be/puppet-on-windows-set-administrator-password-to-never-expires/
Fri, 17 Jan 2014 15:47:03 +0000

When maintaining Windows servers with puppet, it could be interesting to set your Administrator password to never expire.
Since you want to manage your passwords through puppet, and not manually by some hyperactive sysadmin, this comes in handy.

Note the fact that it is wise to change passwords now and then.

On Windows you can only manage passwords through puppet… not any other expire settings.
You can read here that puppet on Windows does not support manages_password_age.

You’d think that instead of using WMIC USERACCOUNT, you could use a simple ‘net user administrator /expires:never’, but that does not seem to be the case. Although your puppet agent reports that the setting has been modified, it was not… I only got it working with the WMIC command.

Also, when using | in the unless, you need to put the cmd.exe /c in your command. This is intended behaviour because of this:

Exec: Execute external binaries on Windows systems. As with the posix provider, this provider directly calls the command with the arguments given, without passing it through a shell or performing any interpolation. To use shell built-ins – that is, to emulate the shell provider on Windows — a command must explicitly invoke the shell

Restore a single MySQL Table
https://www.nicovs.be/restore-a-single-mysql-table/
Thu, 09 Jan 2014 10:14:43 +0000

If you ever had a problem with a MySQL table being foobar because of a human error (or other bug), you might need to be able to restore only 1 single MySQL table.
Restoring an entire database may cause other data loss, and this is of course something we don’t want.

So, if you have a mysql dump available, you can ‘filter’ out that specific table by using the sed command.

Let’s say the name of your table is tableToRestore and the file dbdump.sql is the file containing your database backup:

This will copy into the file dbdump_tableToRestore.sql what is located in dbdump.sql between CREATE TABLE tableToRestore and the next CREATE TABLE, which belongs to the next table.

You can then adjust the file dbdump_tableToRestore.sql which contains the structure of the table tableToRestore, and the data (a list of INSERT commands).
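
The extraction described above, as an added example that is not part of the original post: a shell function that matches the exact backtick-quoted table name and stops before the next table's DROP/CREATE statements, which a range running up to the next CREATE TABLE also picks up in a mysqldump file. `extract_table`, `write_sample_dump` and the sample dump are constructed for illustration, and the dump is assumed to use mysqldump's default layout with one statement start per line.

```shell
#!/bin/sh
# Added example: extract one table from a mysqldump file without
# touching the next table's statements.

# extract_table DUMPFILE TABLE
# Prints the CREATE TABLE statement and the data of exactly TABLE.
extract_table() {
    awk -v t="$2" '
        # Start only on the exact, backtick-quoted table name.
        index($0, "CREATE TABLE `" t "` ") == 1 { on = 1 }
        # Stop before any DROP/CREATE that belongs to another table.
        on && /^(DROP|CREATE) TABLE/ && index($0, "`" t "`") == 0 { exit }
        on { print }
    ' "$1"
}

# Constructed sample dump (mysqldump layout, shortened).
write_sample_dump() {
    cat > "$1" <<'EOF'
DROP TABLE IF EXISTS `orders`;
CREATE TABLE `orders` (
  `id` int NOT NULL
);
INSERT INTO `orders` VALUES (1),(2);
DROP TABLE IF EXISTS `tableToRestore`;
CREATE TABLE `tableToRestore` (
  `id` int NOT NULL,
  `name` varchar(32)
);
LOCK TABLES `tableToRestore` WRITE;
INSERT INTO `tableToRestore` VALUES (1,'alpha'),(2,'beta');
UNLOCK TABLES;
DROP TABLE IF EXISTS `tableToRestore_old`;
CREATE TABLE `tableToRestore_old` (
  `id` int NOT NULL
);
INSERT INTO `tableToRestore_old` VALUES (9);
EOF
}

# Usage: extract_table dbdump.sql tableToRestore > dbdump_tableToRestore.sql
```

The extract starts at CREATE TABLE, so the damaged table still has to be dropped or renamed before the file is loaded.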

Configure NewRelic on Plesk
https://www.nicovs.be/configure-newrelic-on-plesk/
Tue, 15 Oct 2013 08:56:56 +0000

Installing NewRelic on a Plesk server is as straightforward as any other NewRelic installation. However… it’s not that easy to split up your PHP applications on a per vhost configuration in Plesk.